------------------------------------------------------------------ DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability ------------------------------------------------------------------ [-] Software Link: http://dleviet.com/ [-] Affected Version: 9.7 only. [-] Vulnerability Description: The vulnerable code is located in the /engine/preview.php script: 246. $c_list = implode (',', $_REQUEST['catlist']); 247. 248. if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) { 249. $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template ); 250. } 251. 252. if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) { 253. $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template ); 254. } User supplied input passed through the $_REQUEST['catlist'] parameter is not properly sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag. [-] Solution: Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html [-] Disclosure Timeline: [16/01/2013] - Vendor notified [19/01/2013] - Vendor patch released [20/01/2013] - CVE number requested [21/01/2013] - CVE number assigned [28/01/2013] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1412 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2013-01Брой прочитания на тази страница: 1310
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability